projects / qtbase-opensource-src.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: e21a089) | patch
CVE-2024-39936
authorDebian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Thu, 27 Nov 2025 14:54:31 +0000 (15:54 +0100)
committerSylvain Beucler <beuc@debian.org>
Thu, 27 Nov 2025 14:54:31 +0000 (15:54 +0100)
commitce5a9dfcddaa9351523dd865a51bae4535072e37
tree465538505737b100d95a7e718780a43a4a2676a1tree | snapshot
parente21a089478c98e9eadd2a15bc211d47f0a5bc638commit | diff
CVE-2024-39936

Origin: https://github.com/qt/qtbase/commit/bb1006b789f4ed0183b6ca668a45f75243879cb6
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2025-11-26

From bb1006b789f4ed0183b6ca668a45f75243879cb6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A5rten=20Nordheim?= <marten.nordheim@qt.io>
Date: Tue, 25 Jun 2024 17:09:35 +0200
Subject: [PATCH] HTTP2: Delay any communication until encrypted() can be
 responded to

We have the encrypted() signal that lets users do extra checks on the
established connection. It is emitted as BlockingQueued, so the HTTP
thread stalls until it is done emitting. Users can potentially call
abort() on the QNetworkReply at that point, which is passed as a Queued
call back to the HTTP thread. That means that any currently queued
signal emission will be processed before the abort() call is processed.

In the case of HTTP2 it is a little special since it is multiplexed and
the code is built to start requests as they are available. This means
that, while the code worked fine for HTTP1, since one connection only
has one request, it is not working for HTTP2, since we try to send more
requests in-between the encrypted() signal and the abort() call.

This patch changes the code to delay any communication until the
encrypted() signal has been emitted and processed, for HTTP2 only.
It's done by adding a few booleans, both to know that we have to return
early and so we can keep track of what events arose and what we need to
resume once enough time has passed that any abort() call must have been
processed.

Conflict resolution: adapt to Qt 5 code supporting SPDY as well.

Fixes: QTBUG-126610
Pick-to: 5.12
Change-Id: Ic25a600c278203256e35f541026f34a8783235ae
Reviewed-by: Marc Mutz <marc.mutz@qt.io>
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
(cherry picked from commit b1e75376cc3adfc7da5502a277dfe9711f3e0536)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
(cherry picked from commit 0fb43e4395da34d561814242a0186999e4956e28)
(cherry picked from commit 2b1e36e183ce75c224305c7a94457b92f7a5cf58)
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
(cherry picked from commit 2b3048b35c4b37bfbfe38b8bde999715806bd7b8)
(cherry picked from commit db8bd4ea27e53753875ec71feed9c5b562b713eb)

Gbp-Pq: Name CVE-2024-39936.diff
src/network/access/qhttp2protocolhandler.cpp diff | blob | history
src/network/access/qhttpnetworkconnectionchannel.cpp diff | blob | history
src/network/access/qhttpnetworkconnectionchannel_p.h diff | blob | history
tests/auto/network/access/http2/tst_http2.cpp diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.